Was that a photo of a new red ring around the planet Uranus, tweeted out by NASA’s Kepler account?
Guess not. They were actually panties. NASA’s Twitter account was briefly hijacked.
The peculiar stellar body that the hijacker(s) displayed on Wednesday was only up for 16 minutes before NASA wrestled back its Twitter controls.
In that narrow window of time, the post was captured by PostGhost, which archives celebrities’ deleted posts (possibly NSFW).
This isn’t standard fare for NASA’s Kepler mission, which more typically puts out news about things like finding a clump of 9 new habitable planets: those within the range of distance from a star where they could have surface temperatures that allow liquid water to pool.
In contrast, a hijacked Twitter account is, unfortunately, pretty standard fare.
We’ve seen account takeovers of Mark Zuckerberg, of Tesla and Elon Musk (with the hijackers offering free cars), of a teacher who unwittingly got turned into a porn star, of, ironically enough, Twitter CFO Anthony Noto, and of Black Lives Matter activist DeRay Mckesson, whom the account kidnappers turned into a Donald Trump supporter, to name just a few.
How could the @NASAKepler hijackers have gained control of the account? Let us count the ways…
If NASA reused the password on other sites, the crooks could have found it by sifting through previous data dumps. That’s the technique that Zuckerberg’s hijackers claimed to have used: specifically, s/he/they claimed to have found his (apparently reused) password by sifting through the password dump of stolen LinkedIn accounts that was posted in May.
That’s exactly why we urge you not to reuse passwords on different sites: if one of those sites gets breached, crooks can use the same login to get into wherever else you’ve used it.
They can get into your social media accounts to embarrass you, get access to your contacts, commit identity theft, and drain your banking accounts.
It’s really a bad idea to use a password twice, and here’s why.
Willy-nilly clicking on links in email is another way to get into trouble.
Phishing might sound old-school, but some of the true classics are still extremely successful.
In fact, a study from Google and the University of California, San Diego, found that there are some phishing sites that are so convincing, they work on an eye-popping 45% of visitors.
Or perhaps NASA didn’t practice good password etiquette: perhaps a staffer gave the password away to someone, or maybe it was the name of somebody’s pet. We just don’t know.
What we do know is that multifactor authentication – what Twitter refers to as login vertification – should help defend against account hijackings.
If you haven’t yet set it up for your Twitter account, why not do it today?
Having said that, note that there’s another way to hijack Twitter accounts, and muilti-factor authentication doesn’t stop it. As DeRay Mckesson found out, crooks social engineered his phone carrier into changing his phone’s SIM, thereby managing to intercept the SMS messages sent out by login verification when they changed his password.
The phone carriers have ways to set up passwords to defeat that strategy: we put out instructions for four major US carriers in the story.
Of course, as one tweet suggested, it could be a drop-dead-dumb, crazily guessable password that lead to the moon shot on @NASAKepler:
@NASAKepler I hope your password wasn’t “54321blastoff”
— Steve (@indylead) July 6, 2016
(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)
Follow @LisaVaas
clever title Lisa. Thanks for the article–and as always for the great reminders and advice.
Awesome, Lisa!!!
PostGhost has been shut down by Twitter, very much as PolitWoops was. Hopefully it will return in the same way as per it’s calm, thoughtfully-worded open letter on that link.